Watchlist loading from report output

Discussion created by RSA Admin Employee on Oct 24, 2008
Latest reply on Jan 24, 2011 by ericlevin

I have written the attached Windows PowerShell script to replace the dbUpdate_watchlist.cmd to do two things. The first was to parse the CSV file created by an enVision report and load the data into a Watchlist. And YES, this does overcome the size limits that can be found in the dbUpdate script. This new script is based on creating a Watchlist of terminated employees from Windows Security_642 events of their account being disabled by an admin.

It does require that the Windows .NET Framework and PowerShell be installed on the enVision appliance where reports are generated. This would be on the AS.

I wrote this script to combine functions in one script of parsing the CSV file to remove the double plus load it into a Watchlist, unlike dbUpdate_watchlist, which takes input from a file defined with command-line arguments. But you can probably pull out that which you would need to be a true dbUpdate_watchlist replacement. Or, if there is enough demand, I could break it out and write a separate script to read a user-created file.

This is my first attempt at PowerShell, so excuse what might not be concise coding.
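
The report-parsing step the post describes, as an added example that is not the script attached to the post: it reads a quoted CSV report export, drops rows that should not reach a watchlist, de-duplicates account names and writes one per line. The column names, sample rows, `Get-WatchlistEntries` and the output path are assumptions, and the enVision watchlist load itself is not shown.

```powershell
# Added example, not the script attached to the post.
# Constructed sample of a report export; column names and rows are assumptions.
$reportCsv = @'
"Event Time","Target Account","Changed By"
"2008-10-20 09:14:02","jdoe","helpdesk1"
"2008-10-21 16:40:55","JDoe","helpdesk2"
"2008-10-22 11:03:10","asmith","helpdesk1"
"2008-10-22 11:05:31","WKSTN042$","helpdesk1"
"2008-10-23 08:00:00","","helpdesk2"
"2008-10-23 08:01:00","bob;drop","helpdesk2"
'@

function Get-WatchlistEntries {
    param(
        [Parameter(Mandatory = $true)][string]$CsvText,
        [string]$Column = 'Target Account'   # hypothetical column name
    )
    # ConvertFrom-Csv parses quoted fields, so the surrounding double quotes
    # are removed without breaking values that contain commas.
    $rows = ($CsvText -split "\r?\n") | Where-Object { $_.Trim() } | ConvertFrom-Csv
    $seen = @{}          # hashtable keys compare case-insensitively
    $entries = @()
    foreach ($row in $rows) {
        $name = "$($row.$Column)".Trim()
        if ($name -eq '') { continue }             # no account in this row
        if ($name.EndsWith('$')) { continue }      # computer account, not a person
        if ($name -notmatch '^[A-Za-z0-9._-]+$') { # refuse values with unexpected characters
            Write-Warning "Skipping unexpected value: $name"
            continue
        }
        if (-not $seen.ContainsKey($name)) {
            $seen[$name] = $true
            $entries += $name.ToLower()
        }
    }
    return ,$entries
}

$entries = Get-WatchlistEntries -CsvText $reportCsv
# Hypothetical output path; one account per line, ready for the watchlist load step.
$outFile = Join-Path $env:TEMP 'terminated_users.txt'
$entries | Set-Content -Path $outFile -Encoding ASCII
"{0} unique accounts written to {1}" -f $entries.Count, $outFile
```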
